Hello, Finally we upgraded to Keycloak 2.1.0.Final. We have configured Apache httpd proxy in front of the server. We configured keycloak server according to https://keycloak.gitbooks.io/server-installation-and-configuration/conten.... The configuration is still not complete/correct, probably I missed something. When I access proxied url for either of our configured realms I got unproxied auth-server-url: [localuser@machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/governance/console/config | python -m json.tool { "auth-server-url": "http://machine01.our.domain:8081/auth", "public-client": true, "realm": "governance", "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", "resource": "security-admin-console", "ssl-required": "external" } [localuser@machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool { "auth-server-url": "http://machine01.our.domain:8081/auth", "public-client": true, "realm": "master", "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB", "resource": "security-admin-console", "ssl-required": "external" } How can I configure it to return the proxied version? Thanks. Stefan. From: Stian Thorgersen [mailto:sthorger@redhat.com] Sent: Tuesday, June 28, 2016 3:51 PM To: KASALA Štefan <Stefan.Kasala(a)posam.sk&gt; Cc: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Getting 401 if trying to access app via loadbalancer Firstly, please upgrade to a more recent Keycloak version. Then refer to https://keycloak.gitbooks.io/server-installation-and-configuration/conten... for details on how to setup a reverse proxy / load balancer in front of Keycloak. On 27 June 2016 at 09:18, KASALA Štefan <Stefan.Kasala@posam.sk<mailto:Stefan.Kasala@posam.sk>> wrote: Hello, we have installed JBoss Overlord Rtgov 2.1.0 which is using Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3, I will name it with hostname app01. We have a load balancer under another hostname lbapp in front of the deployed app. I am able to call the rest interface of RtGov directly on machine app01 but not using lbapp, I get 401 - Unauthorized from Keycloak. My guess is there is some check against hostname in http request. Is there some possibility to register aliases with the keycloak to enable calls via load balancer? Thanks. Stefan Kasala ________________________________ Táto správa je určená iba pre uvedeného príjemcu a môže obsahovať dôverné alebo interné informácie. Ak ste ju omylom obdržali, upovedomte o tom prosím odosielateľa a vymažte ju. Akýkoľvek iný spôsob použitia tohto e-mailu je zakázaný. This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user ________________________________ Táto správa je určená iba pre uvedeného príjemcu a môže obsahovať dôverné alebo interné informácie. Ak ste ju omylom obdržali, upovedomte o tom prosím odosielateľa a vymažte ju. Akýkoľvek iný spôsob použitia tohto e-mailu je zakázaný. This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited.

Hello, thanks for hints, I added request header dumps for keycloak server: curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool keycloak server log: 2016-09-09 11:38:40,825 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-15) RESTEASY002315: PathInfo: /admin/master/console/config 2016-09-09 11:38:40,826 INFO [io.undertow.request.dump] (default task-15) ----------------------------REQUEST--------------------------- URI=/auth/admin/master/console/config characterEncoding=null contentLength=-1 contentType=null header=Accept=*/* header=Connection=Keep-Alive header=X-Forwarded-For=10.231.79.183 header=X-Forwarded-Server=lb.our.domain header=User-Agent=curl/7.49.1 header=Host=machine01.our.domain:8081 header=X-Forwarded-Host=lb.our.domain locale=[] method=GET protocol=HTTP/1.1 queryString= remoteAddr=10.231.79.183:0 remoteHost=10.231.79.183 scheme=http host=machine01.our.domain:8081 serverPort=0 --------------------------RESPONSE-------------------------- contentLength=574 contentType=application/json header=Connection=keep-alive header=Cache-Control=no-cache header=X-Powered-By=Undertow/1 header=Server=WildFly/10 header=Content-Type=application/json header=Content-Length=574 header=Date=Fri, 09 Sep 2016 09:38:40 GMT status=200 ============================================================== out: { "auth-server-url": "http://machine01.our.domain:8081/auth", "public-client": true, "realm": "master", "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB", "resource": "security-admin-console", "ssl-required": "external" } Is it possible to configure keycloak / undertow to use X-Forwarded-Host header for absolute urls, or we have to forward original host to keycloak? Thanks Stefan From: Marek Posolda [mailto:mposolda@redhat.com] Sent: Friday, September 9, 2016 9:38 AM To: KASALA Štefan <Stefan.Kasala(a)posam.sk>; keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Getting 401 if trying to access app via loadbalancer This is set from the HTTP request url, so it looks that your Keycloak is seeing ""http://machine01.our.domain:8081/auth"<http://machine01.our.domain:8081/auth> as the request URL instead of "http://lb.our.domain/auth/admin/governance/console/config" . Maybe the set of X-Forwarded-Host on your LB side? Marek On 08/09/16 13:05, KASALA Štefan wrote: Hello, Finally we upgraded to Keycloak 2.1.0.Final. We have configured Apache httpd proxy in front of the server. We configured keycloak server according to https://keycloak.gitbooks.io/server-installation-and-configuration/conten.... The configuration is still not complete/correct, probably I missed something. When I access proxied url for either of our configured realms I got unproxied auth-server-url: [localuser@machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/governance/console/config | python -m json.tool { "auth-server-url": "http://machine01.our.domain:8081/auth"<http://machine01.our.domain:8081/auth>, "public-client": true, "realm": "governance", "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", "resource": "security-admin-console", "ssl-required": "external" } [localuser@machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool { "auth-server-url": "http://machine01.our.domain:8081/auth"<http://machine01.our.domain:8081/auth>, "public-client": true, "realm": "master", "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB", "resource": "security-admin-console", "ssl-required": "external" } How can I configure it to return the proxied version? Thanks. Stefan. From: Stian Thorgersen [mailto:sthorger@redhat.com] Sent: Tuesday, June 28, 2016 3:51 PM To: KASALA Štefan <Stefan.Kasala@posam.sk><mailto:Stefan.Kasala@posam.sk> Cc: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> Subject: Re: [keycloak-user] Getting 401 if trying to access app via loadbalancer Firstly, please upgrade to a more recent Keycloak version. Then refer to https://keycloak.gitbooks.io/server-installation-and-configuration/conten... for details on how to setup a reverse proxy / load balancer in front of Keycloak. On 27 June 2016 at 09:18, KASALA Štefan <Stefan.Kasala@posam.sk<mailto:Stefan.Kasala@posam.sk>> wrote: Hello, we have installed JBoss Overlord Rtgov 2.1.0 which is using Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3, I will name it with hostname app01. We have a load balancer under another hostname lbapp in front of the deployed app. I am able to call the rest interface of RtGov directly on machine app01 but not using lbapp, I get 401 - Unauthorized from Keycloak. My guess is there is some check against hostname in http request. Is there some possibility to register aliases with the keycloak to enable calls via load balancer? Thanks. Stefan Kasala ________________________________ Táto správa je určená iba pre uvedeného príjemcu a môže obsahovať dôverné alebo interné informácie. Ak ste ju omylom obdržali, upovedomte o tom prosím odosielateľa a vymažte ju. Akýkoľvek iný spôsob použitia tohto e-mailu je zakázaný. This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user ________________________________ Táto správa je určená iba pre uvedeného príjemcu a môže obsahovať dôverné alebo interné informácie. Ak ste ju omylom obdržali, upovedomte o tom prosím odosielateľa a vymažte ju. Akýkoľvek iný spôsob použitia tohto e-mailu je zakázaný. This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user ________________________________ Táto správa je určená iba pre uvedeného príjemcu a môže obsahovať dôverné alebo interné informácie. Ak ste ju omylom obdržali, upovedomte o tom prosím odosielateľa a vymažte ju. Akýkoľvek iný spôsob použitia tohto e-mailu je zakázaný. This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited.

Hello, Yes, my standalone.xml – undertow part: <subsystem xmlns="urn:jboss:domain:undertow:3.0"> <buffer-cache name="default"/> <server name="default-server"> <http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true"/> <host name="default-host" alias="localhost"> <location name="/" handler="welcome-content"/> <filter-ref name="server-header"/> <filter-ref name="x-powered-by-header"/> <filter-ref name="request-dumper"/> </host> </server> <servlet-container name="default"> <jsp-config/> <websockets/> </servlet-container> <handlers> <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/> </handlers> <filters> <response-header name="server-header" header-name="Server" header-value="WildFly/10"/> <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/> <filter name="request-dumper" class-name="io.undertow.server.handlers.RequestDumpingHandler" module="io.undertow.core" /> </filters> </subsystem> SK From: Stian Thorgersen [mailto:sthorger@redhat.com] Sent: Monday, September 12, 2016 8:53 AM To: KASALA Štefan <Stefan.Kasala(a)posam.sk&gt; Cc: Marek Posolda <mposolda(a)redhat.com>; keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Getting 401 if trying to access app via loadbalancer Have you set proxy-address-forwarding=true? I thought that was supposed to look at X-Forwarded-Host. On 9 September 2016 at 11:45, KASALA Štefan <Stefan.Kasala@posam.sk<mailto:Stefan.Kasala@posam.sk>> wrote: Hello, thanks for hints, I added request header dumps for keycloak server: curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool keycloak server log: 2016-09-09 11:38:40,825 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-15) RESTEASY002315: PathInfo: /admin/master/console/config 2016-09-09 11:38:40,826 INFO [io.undertow.request.dump] (default task-15) ----------------------------REQUEST--------------------------- URI=/auth/admin/master/console/config characterEncoding=null contentLength=-1 contentType=null header=Accept=*/* header=Connection=Keep-Alive header=X-Forwarded-For=10.231.79.183 header=X-Forwarded-Server=lb.our.domain header=User-Agent=curl/7.49.1 header=Host=machine01.our.domain:8081 header=X-Forwarded-Host=lb.our.domain locale=[] method=GET protocol=HTTP/1.1 queryString= remoteAddr=10.231.79.183:0<http://10.231.79.183:0> remoteHost=10.231.79.183 scheme=http host=machine01.our.domain:8081 serverPort=0 --------------------------RESPONSE-------------------------- contentLength=574 contentType=application/json header=Connection=keep-alive header=Cache-Control=no-cache header=X-Powered-By=Undertow/1 header=Server=WildFly/10 header=Content-Type=application/json header=Content-Length=574 header=Date=Fri, 09 Sep 2016 09:38:40 GMT status=200 ============================================================== out: { "auth-server-url": "http://machine01.our.domain:8081/auth", "public-client": true, "realm": "master", "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB", "resource": "security-admin-console", "ssl-required": "external" } Is it possible to configure keycloak / undertow to use X-Forwarded-Host header for absolute urls, or we have to forward original host to keycloak? Thanks Stefan From: Marek Posolda [mailto:mposolda@redhat.com<mailto:mposolda@redhat.com>] Sent: Friday, September 9, 2016 9:38 AM To: KASALA Štefan <Stefan.Kasala@posam.sk<mailto:Stefan.Kasala@posam.sk>>; keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> Subject: Re: [keycloak-user] Getting 401 if trying to access app via loadbalancer This is set from the HTTP request url, so it looks that your Keycloak is seeing ""http://machine01.our.domain:8081/auth"<http://machine01.our.domain:8081/auth> as the request URL instead of "http://lb.our.domain/auth/admin/governance/console/config" . Maybe the set of X-Forwarded-Host on your LB side? Marek On 08/09/16 13:05, KASALA Štefan wrote: Hello, Finally we upgraded to Keycloak 2.1.0.Final. We have configured Apache httpd proxy in front of the server. We configured keycloak server according to https://keycloak.gitbooks.io/server-installation-and-configuration/conten.... The configuration is still not complete/correct, probably I missed something. When I access proxied url for either of our configured realms I got unproxied auth-server-url: [localuser@machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/governance/console/config | python -m json.tool { "auth-server-url": "http://machine01.our.domain:8081/auth"<http://machine01.our.domain:8081/auth>, "public-client": true, "realm": "governance", "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", "resource": "security-admin-console", "ssl-required": "external" } [localuser@machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool { "auth-server-url": "http://machine01.our.domain:8081/auth"<http://machine01.our.domain:8081/auth>, "public-client": true, "realm": "master", "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB", "resource": "security-admin-console", "ssl-required": "external" } How can I configure it to return the proxied version? Thanks. Stefan. From: Stian Thorgersen [mailto:sthorger@redhat.com] Sent: Tuesday, June 28, 2016 3:51 PM To: KASALA Štefan <Stefan.Kasala@posam.sk><mailto:Stefan.Kasala@posam.sk> Cc: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> Subject: Re: [keycloak-user] Getting 401 if trying to access app via loadbalancer Firstly, please upgrade to a more recent Keycloak version. Then refer to https://keycloak.gitbooks.io/server-installation-and-configuration/conten... for details on how to setup a reverse proxy / load balancer in front of Keycloak. On 27 June 2016 at 09:18, KASALA Štefan <Stefan.Kasala@posam.sk<mailto:Stefan.Kasala@posam.sk>> wrote: Hello, we have installed JBoss Overlord Rtgov 2.1.0 which is using Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3, I will name it with hostname app01. We have a load balancer under another hostname lbapp in front of the deployed app. I am able to call the rest interface of RtGov directly on machine app01 but not using lbapp, I get 401 - Unauthorized from Keycloak. My guess is there is some check against hostname in http request. Is there some possibility to register aliases with the keycloak to enable calls via load balancer? Thanks. Stefan Kasala ________________________________ Táto správa je určená iba pre uvedeného príjemcu a môže obsahovať dôverné alebo interné informácie. Ak ste ju omylom obdržali, upovedomte o tom prosím odosielateľa a vymažte ju. Akýkoľvek iný spôsob použitia tohto e-mailu je zakázaný. This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user ________________________________ Táto správa je určená iba pre uvedeného príjemcu a môže obsahovať dôverné alebo interné informácie. Ak ste ju omylom obdržali, upovedomte o tom prosím odosielateľa a vymažte ju. Akýkoľvek iný spôsob použitia tohto e-mailu je zakázaný. This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user ________________________________ Táto správa je určená iba pre uvedeného príjemcu a môže obsahovať dôverné alebo interné informácie. Ak ste ju omylom obdržali, upovedomte o tom prosím odosielateľa a vymažte ju. Akýkoľvek iný spôsob použitia tohto e-mailu je zakázaný. This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user ________________________________ Táto správa je určená iba pre uvedeného príjemcu a môže obsahovať dôverné alebo interné informácie. Ak ste ju omylom obdržali, upovedomte o tom prosím odosielateľa a vymažte ju. Akýkoľvek iný spôsob použitia tohto e-mailu je zakázaný. This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited.